0

When is the protocol required in HTTP/HTTPS request URLs? Are there any pros or cons of doing it one way or the other? Whether or not it is absolutely required, is there a considered best practice?

For instance, all of the following links are valid since if the protocol is not specified, it defaults to the current page request.

```html
<img class="map" src="https://maps.google.com/maps/api/staticmap?markers=color" alt="Map" />

<img class="map" src="//maps.google.com/maps/api/staticmap?markers=color" alt="Map" />

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
```

Another similar application would be curl requests. I expect protocol is required, but am not certain.

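```php
$c = curl_init();
// Return the response body as a string instead of printing it
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_URL, "https://maps.google.com/maps/api/geocode/json?sensor=false&address=xyz");
$response = curl_exec($c);
```
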
user1032531
  • 1
    I don't understand the question... You present two URLs which both have https as their protocol... Can you rephrase your question so it makes sense? – EJTH May 19 '15 at 13:19
  • 1
    `src="acme.org/img.gif"` - is `acme.org` a directory name or a host name? Specify the protocol (or //) when required in HTML. As for a library, it depends on the implementation; it's optional in CURL, which will try HTTP, then FTP and so on. – Alex K. May 19 '15 at 13:19
  • Note that if you want to just use the same protocol which is being used to serve the HTML page in a browser, you can simply use `` this will use whatever protocol was used when retrieving the HTML source. – EJTH May 19 '15 at 13:26
  • @AlexK. A host name since it was prefaced with `//`. Good point about a library being based on its implementation. – user1032531 May 19 '15 at 13:54

2 Answers

1

I think that adding the protocol is a good practice; it simplifies the understanding of the URL for both a human and the computer.

What I use when I'm coding is:

  • Add the protocol when requesting an external URL (absolute path)
  • Don't add the protocol for a relative URL (as it won't work to put the protocol, so...obvious)
Fabrice Kabongo
1

The biggest thing to consider is whether or not you have any sensitive information you are transporting over the wire. Are your users logged in? Are you asking for sensitive information from your users? In any case, everything on the page should follow the same protocol as the parent page. This is where URLs beginning with double slashes `//` are handy, as they will use whatever the parent page uses. If the current page is being served over HTTP, then all your images and scripts will be too. HTTP is slightly more performant than HTTPS as the SSL handshake doesn't need to happen; however, anybody (hackers) can see everything that your users can see.

Consider this scenario - your users log in, your server sets a session cookie, and then you take the user to the "My Account" page. If you were to serve a JavaScript file or image on this page over HTTP (not HTTPS), then some hacker could hijack the user's session cookie and view the "My Account" page as well. They could then go and do anything that user could do. Fortunately, most browsers today will prevent this from happening and will warn the user that "this page is trying to load insecure content".

If you are still confused, then always use HTTPS and just stick with that until you understand it.

Ryan Wheale
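
As an added example (not part of the question or either answer), this Node.js sketch resolves the reference forms discussed on this page the way a browser does, using the standard WHATWG `URL` constructor, and reports which ones end up on plain HTTP. The function names, the `example.com` page URLs and the `http://` variant of the map URL are constructed for illustration.

```javascript
// Added example: browser-style resolution of src/href values against the
// embedding page, flagging subresources fetched over plain HTTP.
// classifyReference and auditPage are hypothetical names for this sketch.

function classifyReference(ref, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(ref, page); // same resolution rules a browser applies

  let form;
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) form = 'absolute';       // https://host/path
  else if (ref.startsWith('//')) form = 'protocol-relative';      // //host/path
  else form = 'relative';                                         // no scheme, no //

  const insecure = resolved.protocol === 'http:';
  // Mixed content: an HTTPS page pulling a subresource over plain HTTP.
  const mixed = page.protocol === 'https:' && insecure;

  return { form, resolved: resolved.href, insecure, mixed };
}

// Return only the references that would travel unencrypted for this page.
function auditPage(pageUrl, refs) {
  return refs
    .map((ref) => ({ ref, ...classifyReference(ref, pageUrl) }))
    .filter((r) => r.insecure);
}

// Constructed sample input using the URL shapes from the question and comments.
const refs = [
  'https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js',
  '//ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js',
  'http://maps.google.com/maps/api/staticmap?markers=color',
  'acme.org/img.gif', // no scheme and no "//": treated as a path, not a host
];

for (const page of ['https://example.com/account/', 'http://example.com/account/']) {
  console.log(`Page ${page}`);
  for (const ref of refs) {
    const r = classifyReference(ref, page);
    console.log(`  ${r.form.padEnd(17)} ${r.resolved}${r.mixed ? '  [mixed content]' : ''}`);
  }
}
```

The protocol-relative reference is the only one whose scheme changes with the embedding page, and `acme.org/img.gif` resolves to a path under the current directory rather than to a host.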